The engineering culture behind AAA video games is rotten to the core with regards to security. Everyone thinks they're making Doom 3 and they're really making Windows 2000 Service Pack 1.
The problem in big part stems from the business culture upstream. They're trying to produce a game, but what they're really after is e-sports money. They design multiplayer to be about organized pro play, which brings in all the cheating problems of professional sports, so they end up subjecting every player to e-sports-grade security like those anti-cheat systems, despite 99.9% of the player base not caring about pro play in the first place.
This is the worst possible combination: players are forced to accept first-party invasive rootkits that are disruptive and ineffective, while cheaters still cheat.
IMHO the only sensible solution is to separate out the e-sports angle from the game itself. People who want to "go pro" would be free to subject themselves to anti-cheats and drinking verification cans and past some point might as well buy company-authorized computers to play on. Everyone else should just be allowed to play casually and enjoy the game without the anti-cheat nuisance (and the looming threat of a false positive).
With the main incentive for serious cheating separated out, non-pro players would only have to worry about griefers. Those are a problem too, but they can be dealt with by simpler and less invasive measures than a kernel-level rootkit.
As it is, AAA multiplayer games are basically as if FIFA were to micromanage Town Recreational Leagues and hold them to the World Cup standard, because cheating is a Big Deal so every kid needs to take regular blood tests before the match.
I don’t work in gaming, but I know a few people who do, and every one of them does it for the love of the game. Certainly not for the job security or even the money. This idea that they’re also to handle security is too much. It’s not their fault, they’re writing “art”, not secure microservices for multinational companies.
Publishers will pay to have ring 0 kernel access on your system but not for software securing their game.
> the game runs with admin privileges for the sake of anti-cheat
Nobody higher up than the devs thought “this might be risky”?
Because I can assure you, the devs felt it was stupid and risky.
Your “Everyone thinks they're making Doom 3”: as I see it, this is not the developers' fault.
I've done IT support for a number of devs across multiple companies and they all expect local admin and admin access to everything. So no, I don't believe they feel it is risky. I believe they don't get it/don't care. It's just not their wheelhouse.
Why would there be a strong engineering culture behind AAA video games at all? Game developers are underpaid, overworked and constantly told they can be replaced at a moment's notice.
I wouldn't expect anything but code that "ships" out of them, and it's understandable why.
It’s definitely games that are the problem. There’s no way that websites are still embedding third party code that is just slopped together shit and wildly vulnerable [0]. Or that domain registrars, one of the core points of trust of the internet would lie about their security practices and be sued by the FTC almost a decade after it[1]. Or that an endpoint management system would take down multiple airports due to basic bounds checks missing [2]. How about a massive software company used by huge enterprises for storing their knowledge bases having an RCE [3]. A global CDN definitely wouldn’t break DNS and take down half the internet [4].
Now you might say, those companies are irresponsible and that well maintained open source software doesn’t have this issue. That would mean no 0-days for Linux [5], and that the most battle-tested libraries in the world are immune from basic issues [6][7].
Software engineering is broken, it’s not just games. (Although, if you think physical construction is any better, I suggest you stick a T-square in the corners of your house and figure out how many of your walls aren’t square.) You
These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software. And for the longest time this was acceptable.
I think for a GaaS in 2025 it's unacceptable to not have security minded engineers on staff for the backend stuff. Too much money is involved not to. Especially for studios very familiar with shipping online games.
But I'm also kind of disappointed in how much we're forgetting that these people are not infosec nerds. Last year there was a cute fishing game made by a single dude messing around making things. It got popular and a kid found an RCE bug with the multiplayer. The dude got a TON of shit for the flaw, which feels deeply unfair. I don't expect my mom to configure a router correctly. I don't expect video game developers to understand defensive network programming without training.
Maybe I'm just a little frustrated at the Internet being largely unable to understand that defensive programming is something that isn't in a game dev's trained skills. I would expect better of NetEase, however.
Hey, I feel there's some predisposition in infosec-minded people that insecure software must not exist regardless of its purpose or threat model. And also that people who can't write secure code must not write code...
For some little indie setup, sure. But AAA studios are like any other software companies— the folks putting their network stack together aren’t the same people that are making the gameplay logic, many of whom probably went to art school and learned how to script and write some less-complex C++, and they’re different from the people working with the low-level graphics programming in the game engine, many of whom probably have PhDs in computer science or other related math disciplines. Having a connection low-latency enough and reliable enough to have fighting game tournaments on servers with many thousands of players isn’t a job for a general purpose game developer.
They generally make software that runs with (at least) unrestricted user level access on client devices, as opposed to backend guys who have no client access, and web guys whose code runs in a sandbox.
If anything these devs should be more cautious than the others as the risk to the end user is extreme.
Great commentary. Today the industry is focused on delivering free games with tons of cosmetics (which bring in a ton of money) but forgetting about performance and security.
Your average networked game these days is probably a bazillion times more secure than one from 20 years ago. It was super common that there were cheat tools to crash all game clients in a match. It was super annoying, we can just be glad that it was usually not used for anything more nefarious.
I was literally thinking about this the other day. There are a ton of games using kernel modules for anti-cheat and... just load and interpret data payloads. Certainly some of those payloads could manipulate the funny machines inside of a game executable if they're not careful about their parsing and validation.
Nice PoC!
Update: yes, most game client processes don't run in the kernel. My b. I was just thinking that updates and content payloads might be an interesting vector for langsec.
Yes. For example, World of Warcraft's anti-cheat (Warden), although it runs in userspace, has been exploited multiple times to gain RCE/server root after receiving malicious payloads from clients.
Also, if you see content distribution networks the way we've been looking into package managers as a vector distributing poisoned payloads... seems fruitful.
I bought a Steam Deck with the sole purpose of having a cheap, airgapped PC to run games on. Game devs just don't have the incentives or discipline to be trusted with security.
I wish Steam offered a console format of the deck, essentially the same thing, but with better specs, HDMI out and bluetooth for controllers. Would be a massive hit I wager.
The deck already has bluetooth for controllers and HDMI out if you get a standard USB3/HDMI dongle (or their expensive dock).
Essentially all you're asking for them to add is better specs.
In December their revised branding guidelines added a "Powered by SteamOS" badge so presumably 3rd-party boxes with various specs in set-top form factors will be coming before too long:
> The Powered by SteamOS logo indicates that a hardware device will run the SteamOS and boot into SteamOS upon powering on the device. Partners / manufacturers will ship hardware with a Steam image in the form provided by and/or developed in close collaboration with Valve.
They tried some years back https://en.wikipedia.org/wiki/Steam_Machine_(computer) but it didn't really hit big. That said recent updates to SteamOS and agreements around logo/branding use hint that we're likely to see a few other options in the coming year or two (alongside some 3rd-party handhelds running SteamOS).
This is what I do, I rarely use it in handheld mode (but I do appreciate the ability to). Valve sells a dock with HDMI out (along with ethernet, USB, etc), and I can confirm that it works wirelessly with Xbox controllers.
I strongly doubt it. Steam already tried releasing a console alternative, Steam boxes, and they massively flopped. By far the main reason for the Steam Deck's success is its portable form factor, not the fact that it's a Linux machine that runs games. It succeeded in spite of the software, not because of it.
The overwhelming majority of users are going to want either a "real" (read: Windows) PC, or a "real" (read: the same one their friends have) console.
I thought SteamOS was just some layers on top of Arch.
To not go full Dropbox, but I think if someone wants a Linux PC to run games, it is within the realm for a home PC builder to accomplish. It would otherwise be a tough market to sell, “Buy this gamer PC, less great specs than you would likely pick for yourself and not compatible with the most popular games that have onerous anti-cheat root kits”.
Interestingly, the game doesn't run as admin for any good reason. The first thing I did was only let the launcher and game run as the user with RunAsInvoker. The anti-cheat alone is allowed RunAsAdmin. At the same time, I don't trust any anti-cheat. It's probably worse than useless, but it is what it is. I thought Microsoft would clean this up after the CrowdStrike incident for all kernel-level code, but I guess there's no incentive for them to only let game companies request runtime analysis / reports rather than run code. As for the anti-cheat industry, they should focus on patterns of user behavior to help game companies moderate the players as much as necessary.
I have a related question for you... my kids like Marvel Rivals, but I also use Microsoft family tools to limit their screen time so they don't have Admin accounts. However, the Marvel Rivals anti-cheat makes me enter my password every time they launch. Is there any way for me to create a shortcut or something so Rivals will launch without my password?
I'm not a Windows guy and trying to figure this out has been extremely frustrating...
I tried to get Microsoft to stop signing kernel mode anti-cheat drivers with no result. Even when a vulnerable driver is found the vendor is given way too much time to deploy a fix while the vulnerable build is out in the wild with a valid signature. The signature should be revoked as soon as an exploit is found, it's an anti-cheat driver for video games not essential business/government infrastructure.
If anticheat worked then it would be an interesting, perhaps tolerable tradeoff for some. The reality however is that games are absolutely packed with cheaters, there's an international industry in creating cheats for popular games, so what you get is an arms race that as usual only punishes honest users. It's like DRM, pirates don't seem to have much of a problem, but it sure can hurt the rest of us.
Unfortunately both the executives who buy into these things, and the average consumer, are simply too... simple, to understand or appreciate that.
> Unfortunately both the executives who buy into these things, and the average consumer, are simply too... simple, to understand or appreciate that.
With all due respect, it’s ironic that you’re calling everyone else simple.
Something doesn’t have to be 100% effective to be a massive deterrent. Cheat prevention is a game of cat and mouse and anti-cheat is one of the levers. Here[0] is an example of a popular game with no anti-cheat which was completely ruined by cheaters. Did putting EAC into the game stop every single cheater? No. But it did make the experience better for a significant number of players who were having their games destroyed by cheaters.
> the game runs with admin privileges for the sake of anti-cheat
"sake of anti-cheat" should be taken lightly here. There is a reason why all the other sane anti-cheats have at least two applications: the anti-cheat service, which often runs as admin, and the game, which does not. Running the game as admin is quite frankly inexcusable.
The service often does the network comms and communicates with a kernel-mode driver and/or with the application via IPC or similar. Having defined barriers of separation is a good thing.
In any case, this PoC doesn't necessarily have huge implications for most people, but maybe in SEA or China, where LAN cafes are more prevalent, it could be a larger concern.
The one implication that I (the author) should highlight for the extra paranoid: this exploit extends to ISPs and cloud vendors that traffic is routed through. Anywhere in the traceroute can MITM. It depends on how much you trust those parties.
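The comment above describes the sane split: a privileged anti-cheat service and an unprivileged game talking over IPC with a defined barrier between them. The following is an added example, not code from any anti-cheat vendor or from the game, of what that barrier looks like on the privileged side. The framing (1-byte type, 2-byte length, JSON body), the message types and the size caps are all hypothetical; the point is that the privileged process validates type, length and shape before it interprets anything the unprivileged process sends.

```python
import json
import struct

# Constructed framing for a hypothetical game <-> anti-cheat service IPC:
#   [type: 1 byte][length: 2 bytes, big-endian][payload: UTF-8 JSON]
HEADER = struct.Struct("!BH")
MAX_PAYLOAD = 512          # hard cap on what the privileged side will parse
MAX_STRING = 64            # cap on any string field inside a payload

# Allowlist of message types the service accepts and the exact key set each
# one must carry. Any other type, key or value shape is rejected up front.
ALLOWED = {
    0x01: ("heartbeat", {"session_id", "tick"}),
    0x02: ("report_match", {"session_id", "match_id"}),
}


class FrameError(ValueError):
    """Raised by the privileged side for anything it refuses to interpret."""


def encode_frame(msg_type: int, payload: dict) -> bytes:
    """Unprivileged (game) side: build one frame."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_PAYLOAD:
        raise FrameError("payload too large")
    return HEADER.pack(msg_type, len(body)) + body


def decode_frame(frame: bytes) -> tuple[str, dict]:
    """Privileged (service) side: validate everything before using it."""
    if len(frame) < HEADER.size:
        raise FrameError("truncated header")
    msg_type, length = HEADER.unpack_from(frame)
    if msg_type not in ALLOWED:
        raise FrameError(f"unknown message type 0x{msg_type:02x}")
    if length > MAX_PAYLOAD:
        raise FrameError("declared length exceeds cap")
    body = frame[HEADER.size:]
    if len(body) != length:
        raise FrameError("length mismatch")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise FrameError(f"malformed payload: {exc}") from None
    name, required_keys = ALLOWED[msg_type]
    # Exact key set: extra keys are rejected, not ignored.
    if not isinstance(payload, dict) or set(payload) != required_keys:
        raise FrameError("unexpected payload shape")
    for value in payload.values():
        if isinstance(value, str):
            if len(value) > MAX_STRING:
                raise FrameError("string field too long")
        elif not isinstance(value, int):
            raise FrameError("unexpected field type")
    return name, payload


def decode_or_reject(frame: bytes) -> str:
    """Convenience wrapper: 'accepted:<name>' or 'rejected:<reason>'."""
    try:
        name, _ = decode_frame(frame)
        return f"accepted:{name}"
    except FrameError as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    good = encode_frame(0x01, {"session_id": "abc", "tick": 42})
    print(decode_or_reject(good))
    print(decode_or_reject(encode_frame(0x7F, {"x": 1})))
    print(decode_or_reject(good[:-3]))
    print(decode_or_reject(HEADER.pack(0x01, 9999) + b"{}"))
    print(decode_or_reject(encode_frame(0x01, {"session_id": "abc", "cmd": "rm"})))
```

The design choice worth noting: the service never dispatches on anything inside the payload that it has not already matched against a fixed allowlist, and it bounds every length before parsing, so a compromised or spoofed game process cannot turn the IPC channel into a path to the privileged side's capabilities.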
I tried in some gamedev communities to talk about security but I gave up. I think the main sentiment is not to care at all. So many games have or had trivial exploits, enabling mass cheating, harassment of other players (DoS) and more nefarious stuff. For people who think the MITM won't affect them... that's a silly stance. People hack home routers on a massive scale. (Another domain that doesn't seem to give a shit about security.)
> This also opens the door up to an entrypoint on PS5.
Does he mean that this is potentially how one could install custom firmware on their console?
Curious because I remember reading somewhat recently that console vendors have locked their consoles down well enough so as to avoid any vulnerabilities which could be exploited to install custom firmware. It would be amusing if that was invalidated by game dev security and I start hearing about ways to install some modded firmware, which include a step of "install one of these games".
IIRC, the web browser on 3DS systems was exploited to install custom firmware rather than a game so it was rather easily patched with a system update (and, indeed, it actually was patched). I wonder if we'll be seeing Sony/Nintendo/Microsoft start to insist on certain security standards as a result of games being exploited to install custom firmware on the devices they sell, presuming the answer to my first question is affirmative.
> Does he mean that this is potentially how one could install custom firmware on their console?
Sort of. It's a userland code execution exploit, which is often the first step, but all games run in a locked down VM specifically to protect against things like this, so you still need a kernel/hypervisor exploit to escape the VM and actually mess with the system in any significant way.
Thanks for the explanation. That helps complete the picture another comment (https://news.ycombinator.com/item?id=42921799) started about “funny machines”. I do believe the measures they’ve taken to protect against malicious payloads are going to be tested rather relentlessly.
PS5 games are sandboxed, so it only allows an entrypoint to run code. For full PS5 exploitation, another chain is needed to break out of the sandbox.
Esports money...? Microtransactions are the money. Publisher-driven esports is advertising.
The "yes I really want to do this" confirmations you need to go through when opening up a bucket these days are about 4 deep...
Authn/z issues are real though, they'll never be fixed
[0] https://mrbruh.com/chattr/
[1] https://news.ycombinator.com/item?id=42849632
[2] https://en.m.wikipedia.org/wiki/2024_CrowdStrike-related_IT_...
[3] https://www.csoonline.com/article/2138177/atlassians-conflue...
[4] https://techcrunch.com/2021/07/22/a-dns-outage-just-took-dow...
[5] https://www.indusface.com/blog/rce-zero-day-vulnerabilities-...
[6] https://en.m.wikipedia.org/wiki/Log4Shell
[7] https://heartbleed.com/
But it is way ahead with regards to efficient hardware utilization!
Why do game developers get a pass but not "backend developers" or "web guys"? Don't the latter only "make CRUD apps, not security software"?
Reminder that all three Dark Souls games allowed full RCE to any users connected to the internet: https://flashpoint.io/blog/rce-vulnerability-dark-souls/
Full instructions https://chatgpt.com/share/67a13960-c1b4-8002-a699-7b547c759c...
You can also skip the UAC prompt without editing the registry, by adding the following to the game's launch options in Steam:
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %command%"
[0] https://www.pcgamer.com/fall-guys-adding-anti-cheat-in-the-n...
Good writeup! Thanks!
Just build a JSON API! It's not that hard! You don't need to RCE your game every time it launches just for microtransactions.
I agree that a JSON API is a better approach, but it's possible for AAA game developers to screw that up too: https://arstechnica.com/gaming/2021/03/developers-to-update-...
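Several comments in the thread converge on the same point: content and update payloads are a parsing and validation problem, anyone on the route can tamper with them if they are not authenticated, and a game should consume plain data from a JSON API rather than execute what it downloads. The following is an added example, not code from the game, from NetEase or from the linked articles, showing what "plain data, validated, integrity-checked" looks like. It assumes a hypothetical update manifest format and assumes the manifest's own SHA-256 reaches the client out of band (for instance baked into the signed game binary); the sample manifest and asset bytes are constructed for the example.

```python
import hashlib
import hmac
import json
import re
from urllib.parse import urlparse

# Hypothetical manifest schema: a version string and a bounded list of assets,
# each pinned by SHA-256 and exact size. There is deliberately no field that
# names code to run; the client only ever loads data it has verified.
MANIFEST_KEYS = {"version", "assets"}
ASSET_KEYS = {"name", "url", "sha256", "size"}
MAX_ASSETS = 64
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")
VERSION = re.compile(r"\d+(\.\d+){0,3}")
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


class ManifestError(ValueError):
    """Raised for any manifest the client refuses to act on."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(raw: bytes, expected_sha256: str) -> dict:
    """Verify the manifest bytes against the out-of-band digest, then validate shape."""
    # Integrity first: a byte changed in transit (MITM on the route) fails here,
    # before any parsing happens.
    if not hmac.compare_digest(sha256_hex(raw), expected_sha256):
        raise ManifestError("manifest digest mismatch (tampered or stale)")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ManifestError(f"malformed manifest: {exc}") from None
    if not isinstance(doc, dict) or set(doc) != MANIFEST_KEYS:
        raise ManifestError("unexpected top-level keys")
    if not isinstance(doc["version"], str) or not VERSION.fullmatch(doc["version"]):
        raise ManifestError("bad version string")
    assets = doc["assets"]
    if not isinstance(assets, list) or len(assets) > MAX_ASSETS:
        raise ManifestError("bad asset list")
    for asset in assets:
        if not isinstance(asset, dict) or set(asset) != ASSET_KEYS:
            raise ManifestError("unexpected asset keys")
        if not isinstance(asset["name"], str) or not SAFE_NAME.fullmatch(asset["name"]):
            raise ManifestError("bad asset name")          # also blocks path tricks
        if not isinstance(asset["url"], str) or urlparse(asset["url"]).scheme != "https":
            raise ManifestError("asset URL must be https")
        if not isinstance(asset["sha256"], str) or not HEX_SHA256.fullmatch(asset["sha256"]):
            raise ManifestError("bad asset digest")
        if not isinstance(asset["size"], int) or isinstance(asset["size"], bool) or asset["size"] <= 0:
            raise ManifestError("bad asset size")
    return doc


def verify_asset(asset: dict, blob: bytes) -> bool:
    """Accept a downloaded blob only if size and SHA-256 match the pinned manifest entry."""
    if len(blob) != asset["size"]:
        return False
    return hmac.compare_digest(sha256_hex(blob), asset["sha256"])


def check_manifest(raw: bytes, expected_sha256: str) -> str:
    """Convenience wrapper: 'ok' or 'rejected: <reason>'."""
    try:
        parse_manifest(raw, expected_sha256)
        return "ok"
    except ManifestError as exc:
        return f"rejected: {exc}"


def build_sample() -> dict:
    """Constructed sample manifest and asset for the example (not real game data)."""
    blob = b"constructed asset bytes for the example"
    manifest = {
        "version": "1.2.3",
        "assets": [{
            "name": "banner.png",
            "url": "https://cdn.example.invalid/banner.png",   # placeholder host
            "sha256": sha256_hex(blob),
            "size": len(blob),
        }],
    }
    raw = json.dumps(manifest, separators=(",", ":")).encode("utf-8")
    return {"raw": raw, "manifest_sha256": sha256_hex(raw), "blob": blob}


if __name__ == "__main__":
    s = build_sample()
    doc = parse_manifest(s["raw"], s["manifest_sha256"])
    print("manifest ok, asset verified:", verify_asset(doc["assets"][0], s["blob"]))
    print(check_manifest(s["raw"] + b" ", s["manifest_sha256"]))
    bad = b'{"version":"1","assets":[],"exec":"something.exe"}'
    print(check_manifest(bad, sha256_hex(bad)))
```

A pinned digest is the minimal form of this; the general form is a detached signature over the manifest (Ed25519 or similar) with the public key shipped in the binary, which also lets the manifest change without a client update. Either way the property that matters is the same: the client checks integrity before it parses, parses against an exact schema, and then only ever loads bytes whose hash it already knew, so a party sitting anywhere on the route can at most deny service, not choose what runs.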